Agile Information Security researcher Pedro Ribeiro discovered the product suffers from a vulnerability that allows a remote, unauthenticated attacker to upload an arbitrary file to the system. The uploaded file is available in the server’s root directory at http://:8080/null and it gets executed with system privileges.

This remote code execution vulnerability is tracked as CVE-2016-1524 and has a CVSS score of 8.3. The flaw can be exploited by sending a specially crafted POST request to one of two Java servlets found in default NMS300 installations.

Another flaw identified by Ribeiro is a directory traversal (CVE-2016-1525) that allows an authenticated attacker to download any file from the system. The vulnerability can be exploited by loading an arbitrary file from the server host to a predictable location in the web service, from where it can be downloaded, according to the CERT Coordination Center at Carnegie Mellon University.

Ribeiro reported his findings to Netgear via CERT/CC in early December; however, the vendor has yet to release a patch. The expert has published Metasploit modules for the vulnerabilities.

Until a patch becomes available, users should ensure the web management interface of NMS300 is not exposed to the Internet or untrusted networks.
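
While the interface remains unpatched, web logs can be reviewed for the artifact described above: a request to `/null` on the management interface, especially one that follows a POST from the same client. The following is an added example, not code from the advisory or from Netgear; it assumes Common Log Format lines from a proxy in front of the interface, a five-minute correlation window, and constructed sample data with a placeholder upload path.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Common Log Format (assumed format; adapt the
# regex to whatever proxy or appliance log fronts the NMS300 web interface).
# The POST path is a placeholder, not a real servlet name.
SAMPLE_LOG = """\
198.51.100.7 - - [04/Feb/2016:10:15:01 +0000] "POST /upload-endpoint-placeholder HTTP/1.1" 200 12
198.51.100.7 - - [04/Feb/2016:10:15:03 +0000] "GET /null HTTP/1.1" 200 431
192.0.2.10 - - [04/Feb/2016:10:20:00 +0000] "GET /index.html HTTP/1.1" 200 2048
192.0.2.44 - - [04/Feb/2016:11:00:00 +0000] "GET /null HTTP/1.1" 404 0
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
WINDOW = timedelta(minutes=5)  # assumed correlation window


def find_null_fetches(log_text, window=WINDOW):
    """Return one finding per request to /null. A finding is 'high' when the
    request succeeded (200) and the same client sent a POST within `window`
    beforehand; every other /null request is marked 'review'."""
    last_post = {}  # client IP -> timestamp of its most recent POST
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that are not in the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip = m["ip"]
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if path == "/null":
            prior = last_post.get(ip)
            correlated = prior is not None and ts - prior <= window
            severity = "high" if correlated and m["status"] == "200" else "review"
            findings.append({"ip": ip, "time": ts.isoformat(),
                             "status": m["status"], "severity": severity})
        if m["method"] == "POST":
            last_post[ip] = ts
    return findings


if __name__ == "__main__":
    for finding in find_null_fetches(SAMPLE_LOG):
        print(finding)
```

Any hit on `/null` from an address outside the management network also indicates the interface is reachable from where it should not be.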